• The ASCII string is stored as the bytes 0x42, 0x41, 0x44, and 0x00,
where 0x42 is the ASCII representation of a capital letter B, 0x41
represents the letter A, and so on.
• The 0x00 at the end is the NULL terminator.
Finding Strings
• The following figure shows the string “BAD” stored as Unicode.
• The Unicode string is stored as the bytes 0x42, 0x00, 0x41, …
• The Strings program searches for a three-letter or greater sequence of ASCII
and Unicode characters, followed by a string termination
character.
• The Strings program ignores context and formatting, so that it can
analyze any file type and detect strings across an entire file.
• This also means, though, that it may report runs of bytes as
strings when they are not.
• Most invalid strings are obvious, because they do not represent
legitimate text.
• For example, the following excerpt shows the result of running the
Strings program against the file bp6.ex_:
• If a string is short and doesn’t correspond to words,
it’s probably meaningless.
• On the other hand, the strings GetLayout and
SetLayout are Windows functions used by the
Windows graphics library.
• We can easily identify these as meaningful strings
because Windows function names normally begin
with a capital letter and subsequent words also begin
with a capital letter.
• GDI32.DLL is meaningful because it’s the name of a
common Windows dynamic link library (DLL) used by
graphics programs.
• DLL files contain executable code that is shared
among multiple applications.
• 99.124.22.1 is an IP address—most likely one that the
malware will use in some fashion.
• The string “Mail system DLL is invalid.!Send Mail failed
to send message.” is an error message.
• Often, the most useful information obtained by running
Strings is found in error messages. This particular
message reveals two things:
– The subject malware sends messages (through email), and
– It depends on a mail system DLL.
• This information suggests that you should:
– check email logs for suspicious traffic, and
– consider that another DLL (the mail system DLL) might be associated with this
particular malware.
• Note
– the missing DLL itself is not necessarily malicious
– malware often uses legitimate libraries and DLLs to further its goals.
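The scans the slides describe (three or more printable characters up to a termination character, once for ASCII and once for Unicode) and the triage rules applied to the bp6.ex_ output (capitalised Windows API names, DLL names, IP addresses, error messages, short non-words) fit in a few dozen lines. The Python below is an added example written for these notes; it is not code from the slides or from the Strings utility. The sample buffer is constructed, and the regular expressions and the keyword list used to spot error messages are assumed heuristics:

```python
import re

# Constructed sample "file": ASCII and Unicode (UTF-16LE) strings separated by
# junk bytes. Stand-in data, not the bp6.ex_ file from the slides.
SAMPLE = (
    b"\x00\x01\x02BAD\x00\x01"                    # ASCII "BAD": 42 41 44, then the NULL terminator
    + "BAD".encode("utf-16-le") + b"\x00\x00"     # Unicode "BAD": 42 00 41 00 44 00, then 00 00
    + b"\x7f\x10GetLayout\x00SetLayout\x00"       # Windows API names
    + b"\xffGDI32.DLL\x00"                        # a DLL name
    + b"\x0399.124.22.1\x00"                      # an IP address
    + b"Mail system DLL is invalid.!Send Mail failed to send message.\x00"
    + b"\x05!!Q\x00"                              # three printable bytes that are not text
    + b"ab\x00"                                   # two characters: below the minimum length
)

MIN_LEN = 3  # Strings reports sequences of three or more characters


def is_printable(b):
    return 0x20 <= b <= 0x7E  # printable ASCII, space through tilde


def ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII bytes ended by any non-printable byte (NULL included)."""
    found, run = [], bytearray()
    for b in data:
        if is_printable(b):
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:        # a run that reaches end of file is kept too
        found.append(run.decode("ascii"))
    return found


def unicode_strings(data, min_len=MIN_LEN):
    """Runs of UTF-16LE characters: printable ASCII low byte followed by a 0x00 high byte."""
    found, run, i = [], [], 0
    while i + 1 < len(data):
        lo, hi = data[i], data[i + 1]
        if is_printable(lo) and hi == 0:
            run.append(chr(lo))
            i += 2
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
        i += 1                     # step one byte so unaligned strings are still found
    if len(run) >= min_len:
        found.append("".join(run))
    return found


# Assumed triage heuristics, modelled on the reasoning in the slides.
DLL_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.dll$", re.IGNORECASE)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
API_NAME = re.compile(r"^(?:[A-Z][a-z0-9]+){2,}[A-Z]?$")   # CapitalisedWords, e.g. GetLayout
ERROR_WORDS = ("fail", "invalid", "error", "cannot")      # assumed keyword list


def classify(s):
    """Label one recovered string the way an analyst would on first reading."""
    if DLL_NAME.match(s):
        return "dll name"
    if IPV4.match(s) and all(int(o) <= 255 for o in s.split(".")):
        return "ipv4 address"
    if API_NAME.match(s):
        return "windows api name"
    if " " in s and any(w in s.lower() for w in ERROR_WORDS):
        return "error message"
    if sum(ch.isalnum() for ch in s) / len(s) < 0.5:     # mostly punctuation: not real text
        return "probably meaningless"
    return "unclassified"


def triage(data):
    """Pair every recovered string with its encoding and a triage label."""
    rows = [("ascii", s) for s in ascii_strings(data)]
    rows += [("unicode", s) for s in unicode_strings(data)]
    return [(enc, s, classify(s)) for enc, s in rows]


if __name__ == "__main__":
    for enc, s, label in triage(SAMPLE):
        print(f"{enc:8} {label:22} {s}")
```

The Unicode scanner advances one byte at a time after a miss, so a UTF-16 string that starts at an odd offset is still recovered; that is also why the ASCII scan sees the bytes 42 00 41 00 44 00 only as single characters and never reports them.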
Packed and Obfuscated Malware
• Malware authors often use packing or obfuscation to make their
files more difficult to detect or analyze.
• Obfuscated programs are ones for which the author has
attempted to hide their execution.
• Obfuscation is the deliberate act of creating source or machine code that is
difficult for humans to understand. It may use needlessly
roundabout expressions to compose statements.
• Types include simple keyword substitution, use or non-use of
whitespace, and self-generating or heavily compressed programs.
• Packed programs are a subset of obfuscated programs in which
the malicious program is compressed and cannot be analyzed.
• Both of these techniques will severely limit your attempts to
statically analyze the malware.
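To see why a packed program defeats the string analysis from the previous slides, the added example below (written for these notes, not from the slides) compresses a constructed buffer with zlib as a stand-in for a packer and runs a minimal Strings over both versions. It also computes the per-byte Shannon entropy, a standard check for compressed or encrypted content that the slides do not mention. zlib is assumed only as a convenient compressor; real packers prepend an unpacking stub and often encrypt as well.

```python
import collections
import math
import re
import zlib

# Constructed stand-in for an unpacked executable: readable strings with junk between them.
PLAIN = (
    b"\x00\x01GetLayout\x00SetLayout\x00\xffGDI32.DLL\x00"
    b"Mail system DLL is invalid.!Send Mail failed to send message.\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{3,}")   # three or more printable ASCII bytes


def simple_strings(data):
    """Minimal Strings: every run of three or more printable ASCII bytes."""
    return [m.decode("ascii") for m in PRINTABLE_RUN.findall(data)]


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = collections.Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pack(data):
    """Stand-in packer: compresses the whole body, as a real packer would before adding its stub."""
    return zlib.compress(data, 9)


def compare(plain):
    """Run the same static checks on the plain and the packed form of a buffer."""
    packed = pack(plain)
    return {
        "plain_strings": simple_strings(plain),
        "packed_strings": simple_strings(packed),
        "plain_entropy": shannon_entropy(plain),
        "packed_entropy": shannon_entropy(packed),
    }


if __name__ == "__main__":
    report = compare(PLAIN)
    print("plain  strings :", report["plain_strings"])
    print("packed strings :", report["packed_strings"])
    print("plain  entropy : %.2f bits/byte" % report["plain_entropy"])
    print("packed entropy : %.2f bits/byte" % report["packed_entropy"])
```

Running it shows the API names, the DLL name and the error message vanishing from the packed buffer; whatever three-byte printable runs remain are accidents of the compressed bit stream, the "invalid strings" the slides warn about. A buffer this small gives an unreliable entropy figure, so on a real PE file compute it per section: a code section near 7 to 8 bits per byte alongside an import table that references only a few functions is the usual sign that the sample must be unpacked before static analysis can continue.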